The tool applies the tiers of the EU AI Act (Regulation (EU) 2024/1689) in the order the Act itself imposes them. The first tier that matches decides the verdict — a prohibited practice is not "also" high-risk, it is banned.
Order of classification
- Prohibited practice (Art. 5) — social scoring, emotion inference in the workplace, untargeted scraping of facial images. Banned outright since 2 February 2025, whatever else is true.
- High-risk, Annex III (Art. 6(2)) — for finance, the named use cases are creditworthiness evaluation and credit scoring of natural persons (point 5(b)) and risk assessment and pricing in life and health insurance (point 5(c)). Employment screening (point 4) and biometric identification (point 1) apply to any employer.
- GPAI (Art. 51-55) — obligations attach to whoever places a general-purpose model on the market. Consuming a third-party API does not. Fine-tuning one only makes you the provider of the modified model if the modification's training compute exceeds roughly a third of the original's (indicative criterion, Commission GPAI guidelines of 18 July 2025) — a line adapter-tuning does not come close to. The systemic-risk presumption sits at 1025 FLOPs.
- Transparency (Art. 50) — disclose that a user is talking to an AI, and mark synthetic content. Applies regardless of risk tier.
- Minimal risk — no substantive AI Act obligation. Article 4 still asks providers and deployers to take measures supporting the AI literacy of their staff; the Digital Omnibus softened this from "ensure a sufficient level", and it does not require guaranteeing any particular level for any individual.
The two traps this tool is built around
- Fraud detection and AML are not Annex III. Point 5(b) explicitly carves out "AI systems used for the purpose of detecting financial fraud". They are commonly and wrongly scoped as high-risk. They can still become high-risk through how they are used, so the tool flags them for review rather than clearing or condemning them.
- Buying a model does not keep you a deployer. A financial entity that purchases a high-risk system is a deployer (Art. 26). But under Art. 25 it becomes a provider — with the full Art. 16 obligations, conformity assessment and CE marking — if it puts its own name or trademark on the system, substantially modifies it, or changes its intended purpose. Fine-tuning a bought scoring model on your own book is exactly this.
Dates used
- Prohibitions (Art. 5) and AI literacy (Art. 4): in force since 2 Feb 2025. GPAI: since 2 Aug 2025.
- Transparency (Art. 50): 2 August 2026. The machine-readable marking of AI-generated content carries a grace period to 2 December 2026.
- The Omnibus also added a new prohibition — AI generating non-consensual intimate imagery — applying from 2 December 2026.
- Stand-alone Annex III high-risk: 2 December 2027, and AI embedded in regulated products (Annex I): 2 August 2028 — both deferred by the Digital Omnibus on AI, agreed by the Council on 29 June 2026.
Penalties (Art. 99)
- Prohibited practices: up to €35m or 7% of worldwide annual turnover, whichever is higher.
- Most other duties, including all deployer obligations: up to €15m or 3%.
- Supplying incorrect or misleading information to authorities: up to €7.5m or 1%. For SMEs, the lower of the two figures applies.
Basis: Regulation (EU) 2024/1689, Art. 4, 5, 6, 16, 25, 26, 50, 51-55, 99, 113 and Annex III. Deadlines and Art. 4 wording as amended by the Digital Omnibus on AI (Council green light, 29 June 2026).